Prioritizing Data Privacy to Insure your Startup’s Future

Executives at organizations of every size recognize that data privacy and cybersecurity matters must be taken seriously and prioritized by their teams. However, for start-up founders, managing data privacy and cyber security risk can feel like another task in a never-ending line of administrative duties needed to get your business up and running.

In our experience working with startups, we find that most business leaders in their early stages are laser-focused on sales, marketing and fundraising – at times to the detriment of their organization's risk management. Data privacy usually takes a back-seat to revenue-generating deliverables when time and resources are already stretched thin.

But simply put, ignoring your company's data privacy and cybersecurity obligations may undermine everything else that you are working for your startup to achieve.

A single data breach can be fatal to an emerging growth company.

Data breaches create a lack of trust and deter customers and investors from being excited about what your company can offer them.

These privacy issues are now so important - and highly visible, that savvy investors now require issuers to address and remediate any gaps in their data privacy and cyber security plans.

The National Venture Capital Association (NVCA) Model Legal Documents, the nationwide industry standard documents for venture capital (VC) financing, has addressed this in Section 5.13 of the model Investors' Rights Agreement.

In summary, this section provides that businesses do the following within 180 days of closing:

Identify protected data.
Implement cybersecurity solutions to protect the data.
Ensure routine maintenance of cybersecurity solutions
Require security vendors to provide notification of any incidents.
Evaluate cybersecurity measures at least annually.
Educate employees about the proper use and storage of protected data, including training.

What this Section 5.13 of the Investors' Rights Agreement makes clear is that the issuing company is obligated to address their data privacy and cybersecurity risks. Failure to do so can give investors the basis to allege breach of this contract, as well as claims for breach of fiduciary duty. That being said, this language is broad and still leaves a great deal up to the interpretation of the company.

Rather than waiting for conditions to be imposed by investors, all companies - and especially startups, should prioritize and proactively address their data privacy and cybersecurity risks.

In the wide world of continuously evolving data privacy and cybersecurity regulation and requirements, plotting a course to address these issues presents challenges is easier said than done.

To that end, we developed a checklist of things that startup CEOs, COOs, & CFOs should start with:

Snapshot of our Data Privacy and Cyber Security Checklist:

Protected Data Inventory and Mapping Risk Assessment
Data Privacy and Security Program plan
Development and implementation of privacy and security tasks

Han Santos attorneys can help your emerging growth company evaluate your data and work through the privacy checklist to ensure that your marketing efforts are not overshadowed by cybersecurity issues. Contact us to learn more.

Cookie	Duration	Description
__cfruid	session	Set by Cloudflare. Cookie associated with sites using CloudFlare, used to identify trusted web traffic. Learn more about Cloudflare cookies.
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
cf_clearance	session	Set by Cloudflare. Used to verify user is not a bot. Learn more about Cloudflare cookies.
hubspotutk	1 year	Set by HubSpot. This cookie keeps track of a visitor’s identity. It is passed to HubSpot on form submission and used when deduplicating contacts.

Cookie	Duration	Description
__hssc	30 minutes	Set by HubSpot. This cookie keeps track of sessions. This is used to determine if HubSpot should increment the session number and timestamps in the __hstc cookie. It contains the domain, viewCount (increments each pageView in a session), and session start timestamp.
__hssrc	session	Set by HubSpot. Whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser. If this cookie does not exist when HubSpot manages cookies, it is considered a new session.
__hstc	13 months	Set by HubSpot. The main cookie for tracking visitors. It contains the domain, utk, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).

Cookie	Duration	Description
_ga	2 years	Set by Google. Used to distinguish users on the Google Analytics platform. Google’s policies can be viewed here.
_ga_RJQRHRDJNC	2 years	Set by Google. Used to persist session state. Google’s policies can be viewed here.
_gat_gtag	1 minute	Set by Google. Used to analyze visitor browsing habits, flow, source and other information. Google’s policies can be viewed here.
_gid	24 hours	Set by Google. Used to distinguish users on the Google Analytics platform. Google’s policies can be viewed here.

Prioritizing Data Privacy to Insure your Startup’s Future

A single data breach can be fatal to an emerging growth company.

In summary, this section provides that businesses do the following within 180 days of closing:

Snapshot of our Data Privacy and Cyber Security Checklist:

Featured

Menu